CVE-2023-53717: wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
Fix a stack-out-of-bounds write that occurs in a WMI response callback
function that is called after a timeout occurs in ath9k_wmi_cmd().
The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that
could no longer be valid when a timeout occurs. Set wmi->last_seq_id to
0 when a timeout occurred.
Found by a modified version of syzkaller.
BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx
Write of size 4
Call Trace:
memcpy
ath9k_wmi_ctrl_rx
ath9k_htc_rx_msg
ath9k_hif_usb_reg_in_cb
__usb_hcd_giveback_urb
usb_hcd_giveback_urb
dummy_timer
call_timer_fn
run_timer_softirq
__do_softirq
irq_exit_rcu
sysvec_apic_timer_interrupt
Security readout for executives and security teams
Plain-English summary
CVE-2023-53717 is a Linux kernel flaw in the ath9k Wi-Fi driver path. After a command timeout, a later response callback can write to a stack buffer that may no longer be valid. The public record does not provide CVSS, confirmed exploitation, or a complete business-impact assessment.
Executive priority
Treat this as a targeted kernel maintenance item unless your fleet depends on ath9k Wi-Fi hardware. There is no source-backed evidence of active exploitation, but kernel memory corruption issues should be remediated through normal patch cycles once vendor fixes are available.
Technical view
The issue is a potential stack out-of-bounds write in ath9k_wmi_rsp_callback()/ath9k_wmi_ctrl_rx after ath9k_wmi_cmd() times out. The fix resets wmi->last_seq_id to 0 on timeout so a stale response is not copied into an expired stack-allocated cmd_rsp_buf.
Likely exposure
Exposure appears limited to Linux systems using the ath9k Wi-Fi driver path, especially ath9k HTC USB-related handling shown in the trace. The source bundle lists Linux kernel versions and stable commits, but does not provide distribution-specific affected package ranges.
Exploitation context
The issue was found by a modified syzkaller and includes a KASAN stack-out-of-bounds report. The bundle says KEV is false and provides no cited evidence of active exploitation, public exploit availability, or real-world compromise.
Researcher notes
The key condition is a timeout in ath9k_wmi_cmd() followed by response handling that writes through a stale stack buffer pointer. Source detail supports root-cause analysis, but not exploitability, attacker prerequisites, or reachable attack surface in deployed environments.
Mitigation direction
Update to a vendor kernel containing the cited stable fixes.
Check Linux distribution advisories for backported fixes.
Prioritize hosts using ath9k-supported Wi-Fi hardware.
If ath9k is unused, review vendor guidance on disabling the driver.
Track kernel package updates across embedded and appliance images.
Validation and detection
Inventory Linux systems with ath9k or ath9k_htc modules present.
Map running kernel versions to vendor fixed package versions.
Confirm relevant stable commit fixes are included or backported.
Review kernel logs for ath9k timeout or KASAN-related reports.
Validate remediation after reboot into the patched kernel.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cve · low confidence lookup
CVE-2023-53717 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
9Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
Oct 22, 2025, 13:23 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.